[Dnsmasq-discuss] TTL override for clients?

Fredrik Ringertz Fredrik_Ringertz at livewire-connections.com
Wed Apr 21 17:31:12 BST 2010


Hi Simon,

Thank you for clarifying that! If a packet is signed, is it ever cached by dnsmasq? I would assume not because it would contain a timestamp of some sort?

I have to admit that I haven't dealt a lot with signatures before in DNS. Am I correct in thinking they are only used when a client wants to initiate a dynamic update? Or can they be used in standard lookups? I only have 10-15 or so clients behind my dnsmasq server and none of them are in need of anything more than normal record lookups.

Again, really appreciate your help and quick replies on this!


Best Regards

Fredrik

-----Original Message-----
From: Simon Kelley [mailto:simon at thekelleys.org.uk] 
Sent: 21 April 2010 16:45
To: Fredrik Ringertz
Cc: dnsmasq-discuss at lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] TTL override for clients?

Fredrik Ringertz wrote:

> The only problem I have is that the first query to dnsmasq now
> returns the original ttl, and every query after that seems to return
> my fixed value until the original ttl has been reached. I am assuming
> it probably uses another function somewhere when it is a brand new
> query that it needs to add to the cache as well? Any idea where about
> it might be located?
> 

That's because when the information can't be found in the cache, dnsmasq
forwards it to an upstream server. The reply is scanned for cache-able
information, and then returned, unchanged, to the original requestor.
The information doesn't come from the cache, so it's not modified by
your change.

Fixing this is actually more complex. You need to modify the code of
extract_addresses() in src/rfc1035.c so that _after_ it has copied the
data into the cache, it modifies the DNS packet with the shorter TTL.
Look for code like

GET_LONG(attl, p1)

and add code using PUT_LONG() to update the packet.

There's a further wrinkle: if the DNS packet is signed, it can't be
changed at all. extract_addresses() is called from only one place, in
src/forward.c, and that routine already has a variable called is_sign
which determines this. You'll have to add is_sign as an argument to
extract_addresses() and make the ttl-fixing conditional on is_sign being
false.

Cheers,

Simon.
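As an added illustration of the step Simon describes, written for this page rather than taken from dnsmasq: walk the answer section of a reply that has just been scanned into the cache, rewrite in place every TTL above a cap with GET_LONG/PUT_LONG-style accessors, and return the packet untouched when is_sign is set. The macro definitions, skip_name() and clamp_answer_ttls() are this example's own; only the macro names and the is_sign flag follow the mail above.

```c
#include <stdint.h>
#include <stddef.h>

/* Big-endian accessors in the shape of dnsmasq's GET_LONG/PUT_LONG macros;
 * re-implemented here for a stand-alone example, not copied from dnsmasq. */
#define GET_SHORT(s, p) do { (s) = (uint16_t)(((p)[0] << 8) | (p)[1]); (p) += 2; } while (0)
#define GET_LONG(l, p)  do { (l) = ((uint32_t)(p)[0] << 24 | (uint32_t)(p)[1] << 16 | \
                               (uint32_t)(p)[2] << 8 | (p)[3]); (p) += 4; } while (0)
#define PUT_LONG(l, p)  do { (p)[0] = (unsigned char)((l) >> 24); (p)[1] = (unsigned char)((l) >> 16); \
                             (p)[2] = (unsigned char)((l) >> 8); (p)[3] = (unsigned char)(l); (p) += 4; } while (0)

/* Skip an owner name (labels or a compression pointer); NULL if it overruns. */
static unsigned char *skip_name(unsigned char *p, unsigned char *end)
{
    while (p < end) {
        if (*p == 0) return p + 1;
        if ((*p & 0xc0) == 0xc0) return end - p >= 2 ? p + 2 : NULL;
        p += *p + 1;
    }
    return NULL;
}

/* After the cache has been filled from this reply, rewrite each answer TTL
 * larger than max_ttl in the packet itself. Returns the number of RRs
 * rewritten, -1 on a malformed packet, or 0 with nothing touched when
 * is_sign is set: a signed reply must be forwarded exactly as received. */
int clamp_answer_ttls(unsigned char *pkt, size_t len, uint32_t max_ttl, int is_sign)
{
    unsigned char *p = pkt + 4, *end = pkt + len;   /* skip id and flags */
    uint16_t qdcount, ancount, rdlen;
    uint32_t ttl;
    int changed = 0;

    if (is_sign) return 0;
    if (len < 12) return -1;
    GET_SHORT(qdcount, p);
    GET_SHORT(ancount, p);
    p += 4;                                  /* nscount, arcount: not needed */
    while (qdcount--) {                      /* question: name, type, class */
        if (!(p = skip_name(p, end)) || end - p < 4) return -1;
        p += 4;
    }
    while (ancount--) {                      /* RR: name, type, class, TTL, rdlength, rdata */
        if (!(p = skip_name(p, end)) || end - p < 10) return -1;
        p += 4;                              /* type, class */
        GET_LONG(ttl, p);
        if (ttl > max_ttl) { p -= 4; PUT_LONG(max_ttl, p); changed++; }
        GET_SHORT(rdlen, p);
        if (end - p < rdlen) return -1;
        p += rdlen;
    }
    return changed;
}
```

In dnsmasq terms this would sit at the end of extract_addresses(), after the cache insertion, with is_sign passed down from src/forward.c as Simon suggests.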